Five lessons from the Distribute.IT hosting disaster
Wednesday, June 22, 2011
The cyber-attack that crippled Melbourne-based web hosting provider Distribute.IT has left thousands of customers furious, with the data of almost 5,000 websites now deemed completely unrecoverable.
But the debacle has brought to light just how fickle the cloud can be. Combined with a security breach earlier this week from Dropbox and the massive cyber-attack against Sony, businesses everywhere are talking about cloud-based security.
With that in mind, here are five lessons SMEs should take away from the Distribute.IT disaster.
Grill your hosting provider
If business owners learn nothing else from the Distribute.IT catastrophe, then it should be this – you must grill your hosting provider about exactly what is being done to prevent such a situation happening to you.
Many SMEs admittedly don’t have the expertise or the time to learn every little detail about their IT infrastructure, and that’s fine. But when attacks can now bring down entire businesses, now is the time to start learning.
Business owners and managers need to call their hosting providers and make sure the Distribute.IT situation cannot be repeated. Ensure their security is up to date, that multiple backups are being made, and that you have a contingency plan.
“The cloud may not be as good as it seems,” Sophos head of technology Asia Pacific, Paul Ducklin, warns.
“Cloud providers may give you many sorts of service agreements and guarantees, but having your data protected by a piece of paper may not be enough.”
“Particularly if that agreement doesn’t turn out to be worth any more than the piece of paper it’s written on.”
Have your IT managers sit in on calls to your providers to translate jargon, and make sure you question them as well on what would happen if a similar attack occurred to your business. Make sure you have plenty of backups so that even in a worst-case scenario, you can continue trading.
Security firms such as AVG and Symantec regularly release new threat reports that state hundreds of thousands of small businesses are suffering cyber-attacks. It will happen to you, and it will happen to your hosting provider eventually – don’t get caught empty-handed when it does.
Think twice about the cloud
Having a hosted solution is great for business. After all, the growth of cloud-based software is helping a lot of companies keep their backups secure for cheap, and relieves them of the burden of having to manage their own infrastructure.
But Ducklin says SMEs don’t need to dismiss on-site infrastructure so quickly.
“We’re in a cloud honeymoon period at the moment, but it’s important to bear in mind that if you’re one of those guys saying it hasn’t happened to you, and you want to wait as long as you can before you take your first step, then perhaps you should get walking.”
Ducklin says there’s nothing wrong with hosting your own infrastructure on-site. In fact, he says if you want to complement or even replace your cloud solution with servers that you know and trust, then that’s the option you should take.
“At least if you can do it yourself, you can see the backups being made, and once in a while you can get your employee or contractor to show you that it’s all working properly. It’s much, much cheaper now to do this.”
“It’s not that you’ve gone crazy, or are behind the times, it’s just that you’ve done the risk analysis differently. If something goes wrong, you can honestly say to your customers that you know what’s going on, and not have to wait for a third-party hosting provider to communicate back to you.”
Don’t skimp on hosting
If you do decide to host in the cloud, then you should be prepared. And one of the ways you can do this is to set aside a significant amount of your technology budget to sign up with a trusted service provider.
Distribute.IT was not the most expensive provider around, and as one customer told SmartCompany this morning, “you get what you pay for”. Don’t fall into the same trap – companies like MegaBuy Group can attest to how damaging website outages can be.
Be prepared to spend a lot of money getting your site online, and hosted by a reputable provider. It simply isn’t worth taking the risk, especially when you can lose everything.
Get your security on track
One of the scariest aspects of hacking groups like Anonymous, LulzSec and various other attackers is that they seemingly target groups and websites at random. Businesses have been caught in the middle of the fray as well.
Your business will suffer a cyber-attack at some point. Perhaps not from these more prominent groups, but it is highly likely that eventually some outsider will try and steal confidential information from your servers – credit card details, login information, and so on. These experts say you had better be prepared when it does.
“Make sure you get your staff up to speed,” AVG security expert Lloyd Borrett says. “Make sure they are educated, and you have security policies in place.”
“Keep in mind it’s not just about the technology, although that’s an important first step. You need to have your staff and people in place, and make sure they report anything suspicious, then make sure it’s addressed.”
Keep up to date
For many entrepreneurs technology is exciting, but for others it’s merely an inconvenience. Keeping up to date with the latest news in Trojan bugs and Exchange servers is the last thing on their minds.
Unfortunately for them, technology is now an everyday part of business. The same types of security attacks will continue to be targeted at hosting companies like Distribute.IT, and as a result, SME owners must keep up to date with the latest news in security.
AVG and Symantec publish regular reports on the latest threats (AVG’s second quarter threat monitor was just released today), which detail the latest, most popular attacks hackers are using to steal information.
This doesn’t need to be a complicated process. Simply read the news and keep up to date with what types of attacks are occurring, then make sure you’re protected.
Even simply sitting down with your IT manager or contractor and having them explain all of this to you, such as the latest threats, new technology and so on, is beneficial. But act on this – make sure that same IT manager is doing everything in their power to make sure your business is safe against these attacks.